
September 20, 2013

Phun with Phishing

Posted by Jim Macdonald at 12:33 PM * 20 comments

My goodness! Look what showed up as a pop-under in a new window as I went cruising around the web this morning!

This had opened in a new window. I didn’t notice it right away; who knows what page had it hitching along like a lamprey. (I’m told that things like this infect the ads that are served by legitimate ad-servers that are installed on legitimate pages.)

It seemed bogus to me: For one thing I’d just updated Firefox, and Firefox’s update notices don’t appear in anything even close to this format.

The full text reads:

Outdated Browser Detected
You are currently using - Firefox 24 - which is now outdated
Please Update The Latest Browser Version (Recommended)

UPDATES IN THE NEWEST BROWSER VERSION:

1. Security

1.1 The newest browser version protects you better against scams, viruses, trojans, phishing and other threats. They also fix security holes in your current browser!

2. Speed

2.1 Every new browser generation improves speed

3. Compatibility

3.1 Websites using new technology will be displayed more correctly

4. Comfort & better experience

4.1 WIth new features, extensions and better customisability, you will have a more comfortable web-experience

The file it asks you to download is called “Firefox_setup.exe.” What that is, according to AVG, is adware plus a trojan dropper.

This is a pretty good malware site, as such things go. At least all the words were spelled right. Only one capitalization error. I have no doubt that it will fool some of the unwary.

The greyed-out fine print at the bottom of the page reads,

Privacy Policy · Terms & Conditions · Uninstall · Contact
Disclaimer: We are not affiliated nor partnered, with Firefox. Firefox has not authored, participated in, or in any way reviewed this advertisement or authorized it. All trademarks, service marks, logos, and/or domain names (including the names of products and retailers) are property of their respective owners.
Modified Installer: This website is distributing custom installers which are different from the originally available distribution. These new installers comply with the original software manufacturers’ policies and terms & conditions, however, they are not the originals. Optimum Installer is an install manager, which manages the installation of your chosen software. In addition to managing your download and installation, Optimum Installer will offer free popular software that you may be interested in. You are not required to install any additional software to complete your installation of your selected software. You can always completely remove the programs at any time in Windows’ Add/Remove Programs.

chris @ 5: Not quite the same, but these days quite a fraction of the Nigerian 419 scams are aimed at addressing people who have been taken by previous 419 scams, and offering them compensation. Looking at it from the scammers' standpoint, it makes beautiful sense - after all, that way you're going to reach the ones who not only were dumb enough to be taken in the first time but who are still falling for it.

Two ideas. One, scammers only put in enough effort to fool the really gullible, and the great majority of people don't read well enough to see the linguistic markers. The bad guys don't want extremely literate people responding to these appeals.

Two, some scammers do write really well, and find themselves recruited by Bigger Operators. What's the robbing of a bank compared to the founding of a bank?

rm @10: They are deliberately, actively including obvious bullshit that is trivially detectable.

It's a filtering function: If you're not the kind of clueless user who would ignore that kind of error, they don't want you. If you DO ignore that kind of error, you're more likely to also ignore any further mistakes and give them money for their obvious scams.

The blatant errors exist *so that* the scammers don't waste time on the not-scammed-by-obvious-scams brigade.

I looked at Jim's screen capture. I was struck that while on first glance it gives the illusion that it's a Firefox installer, the orange swash around the globe is not the firefox — it's an orange arrow.

Also interesting was the helpful 3 pt type in 10% grey at the bottom. Here's a transcription:

Disclaimer: We are not affiliated nor partnered with Firefox. Firefox has not authored, participated in, or in any way reviewed this advertisement or authorized it. All trademarks, service marks, logos and/or domain names including the names of products and retailers are property of their respective owners.

Modified Installer: This website is distributing custom installers which are different from the originally available distribution. These new installers comply with the original software manufacturers policies and terms & conditions. However, they are not the originals. Optimum Installer is an install manager, which manages the installation of your chosen software. In addition to managing your download and installation, Optimum Installer will offer free popular software that you may be interested in. You are not required to install any additional software to complete your installation of your selected software. You can always completely remove the programs at any time in Windows Add Remove Programs.

Rob, that sort of installer-with-extras gets used by some legitimate free software. They're sometimes a sort of advertising, but I am strongly disinclined to trust any software distributed in that manner. When the situation gets as murky-grey as this one, they don't make bargepoles long enough.

John, do you include our hosts in the category of "illegitimate websites"? I don't know what blogads.com's vetting process is, but I had the impression the MakingLight folks aren't directly involved (though I thought they had the ability to kick out ads they find objectionable after they've noticed them, but I could be mis-remembering).

John @13 - I'd observed a similar pattern of deliberate misspelling to weed out the wise and aware on Facebook; (un)amusingly, those posts still get forwarded ad nauseam. I suspect that says something about the average Facebook user.
